Tech Talk Outline - caecommunity.org

19

Transcript of Tech Talk Outline - caecommunity.org

Tech Talk Outline

• My background

• Equifax Breach

• In brief

• Timeline

• Selected Details

• Threads to pull

• Q & A

2 of 19

The 2017 Equifax breach details provide for the cybersecuritycommunity an extremely rich Case Study of any duration: single lesson,½ day, full day, week-long, month-long, semester-long.

My Background

• AUG 2017 – Present: Computer Science Lecturer, UNCW

• JUL 2016 – Present: Cyber Reconnaissance Inc (CYR3CONTM)

• Cybersecurity startup (CEO Paulo Shakarian ASU) specializing in machine-

learning driven threat prediction based on hacker information

• 1992 – 2016: US Army

• Director IT Modernization (Cybersecurity, Intelligence, Operations, Logistics)

• Course Director, United States Military Academy, West Point

• CISO, 82nd Airborne Division (15 mo Afghanistan)

• IT Deputy Director for Operations, Projects, and Security

• NATO HQ, Senior Web Systems Manager

• https://www.linkedin.com/in/geoffstoker/

3 of 19

Equifax Breach in Brief

• On 7 SEP 2017, Equifax announced a cybercrime identity theft event potentially

impacting 145+ million U.S. consumers.

• The attack started in mid-MAY, the breach was observed/detected 29 JUL.

• Information accessed by the hacker(s) in the breach included:

• First/last names, SSNs, birth dates, addresses, and, in some instances,

driver's license numbers.

• Equifax said the breach was facilitated using a flaw in Apache Struts 2

• CVE-2017-5638: A patch for the vulnerability had been released on 7 MAR.

• Equifax shares dropped 13% the day after the breach was made public.

4 of 19

5 of 19

Equifax Breach Reactions

• Why the Equifax breach should never have happened (Lessons from an epic fail)

• Equifax CEO Richard Smith Who Oversaw Breach to Collect $90 Million

• Equifax Breach Response Turns Dumpster Fire

• Equifax hired a music major as chief security officer and she has just retired

• EQUIFAX OFFICIALLY HAS NO EXCUSE – WIRED

• House Committee on Oversight and Government Reform

• DEC 2018, released 96-page report

• “…culture of cybersecurity complacency…”

• “…breach was entirely preventable…”

• “Equifax failed to fully appreciate and mitigate its cybersecurity risks.”

6 of 19

7 MARCVE-2017-5638Apache Struts

13 MAYACIS* breached

29-30 JULBreach discoveredACIS taken offline

7 SEPEquifax announces

the breach

March April May June July August September October

*Automated Consumer Interview System (ACIS) – custom-built system to address the requirement of the Fair Credit Reporting Act (signed into law by President Nixon, 1970) that credit bureaus have a system in place to disclose information to consumers and manage disputes on consumers’ credit files. The ACIS environment is described as 2 web servers and 2 application servers w/ firewalls at the perimeter of the web servers.

7 of 19

March April May June July August September October

March• 7 – CVE-2017-5638 disclosed; Apache Struts 2 vulnerability

• 8 – DHS/US-CERT send alerts to prioritize patching; email received at Equifax

• 9 – Equifax Global Threat and Vulnerability Management (GTVM) team email distro

to 400+ people; directs patching w/in 48 hour; scans are run, nothing found

• 10 – Hackers scan, detect, and exploit the Apache Struts vuln related to ACIS

• 14 – Emerging Threats team release a Snort signature rule; Equifax

Countermeasures team installs the rule on IDS/IPS

• 15 – Equifax received from McAfee a new signature rule to detect vulnerable

versions of Apache Struts and use the McAfee Vulnerability Manager to scan 958

external facing IPs (twice), but again nothing is found

• 16 – GTVM highlights Struts vuln at monthly meeting; slides distro’d to 400+ people

8 of 19

March April May June July August September October

May – July• 13 MAY – ACIS operating with Apache Struts 2 vulnerability is exploited

• Thru 30 JUL – hackers move around Equifax systems conducting: 9,000+ queries

against 51 databases over ~76 days

• Steal data on 145.5+ mil US consumers & 1+ mil foreign consumers

• 29 JUL – Equifax detects breach

• Certificate on an SSL visibility appliance monitoring the ai.Equifax.com domain

had expired 31 JAN 2016; at 9pm local (Alpharetta, GA data center) the

Equifax Countermeasures uploads 67 new SSL certs, reviews packet captures

to ensure decryption is working, and see suspicious traffic from an IP in China

• 30 – after further testing/observation, ACIS taken offline at 12:41pm local

• 31 – incident reporting makes it to CEO, Richard Smith

9 of 19

March April May June July August September October

August• 2 – FBI notified; Mandiant contracted to conduct comprehensive forensic review

• 11 – Mandiant identified potential access to consumer PII

• 15 – CEO informed that consumer PII was likely stolen

• 17 – CEO, CIO, CLO, CFO, ACIS lead, Mandiant convened meeting as it was

confirmed that large volumes of consumer data had been compromised

• 24-25 – CEO informs Equifax Board of Directors of the breach

• Late August – Equifax prepares for breach recovery by standing up a website for

individuals to find out if they were affected and a call center staffed by 1,500

temporary employees

10 of 19

March April May June July August September October

September – October• 4 – Equifax & Mandiant complete the initial list of 143 million consumers affected

• 7 – Equifax announced breach

• 15 – CIO & CSO retire early; additional details provided to the public

• 26 – CEO retires early

• 2 OCT – Mandiant forensic analysis reported as complete

• SVP fired for failing to forward the original US-CERT email

• 3 – Former CEO, Richard Smith, testifies before Congress blaming human error and

failure to communicate the need to patch as reasons for the breach

11 of 19

CVE-2017-5638 (1/3)

• The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x

before 2.5.10.1 has incorrect exception handling and error-message generation

during file-upload attempts, which allows remote attackers to execute arbitrary

commands via a crafted Content-Type, Content-Disposition, or Content-Length

HTTP header, as exploited in the wild in MAR 2017 with a Content-Type header

containing a #cmd= string.

• Upgrade Struts 2.3.5 – 2.3.31 and 2.5 – 2.5.10

12 of 19

CVE-2017-5638 (2/3)

• Easy to scan internet for this vuln (via Google dorks):• intitle:"Struts Problem Report" intext:"development mode is enabled."

• Easy to exploit:

13 of 19

CVE-2017-5638 (3/3)

• Hard to patch:

• Upgrade to Struts 2.3.32 or 2.5.10.1

• Struts is NOT a system library (Windows/Linux OS)

• Affected web apps must be rebuilt/recompiled with the patched version

• Web apps “finished” since late 2012 (5-yr old vuln) from 2.3.5

• Multipart parser problem or OGNL problem?

• Apache Struts supports Object-Graph Navigation Language

• OGNL can create/change executable code

14 of 19

Vulnerability Mitigation

• 2% actually exploited• 22% published PoC exploits

• Using CVSS score to prioritize provides results similar to random

• Most vulns are NEVER exploited in the wild

15 of 19

Equifax 2015 Patch Mgmt Audit

Findings Complete By

Untimely remediation of vulns; manual patching; old systems 31 DEC 2016

No comprehensive IT asset inventory 30 JUN 2017

Untimely & reactive patching 31 DEC 2016

Vulns not tracked, prioritized, monitored 2017

New systems/changes not scanned prior to use 31 DEC 2015

No Windows server hardening standards 31 MAR 2016

Inconsistent patch testing 30 JUN 2016

Patch prioritization did not consider IT asset criticality 31 DEC 2015

16 of 19

Kansas City Shuffle?

• US-CERT Cyber Security Bulletin

• Week of 6 MAR 2017: 96 High vulns (CVSS 7.0 – 10.0)

• Week of 13 MAR 2017: 46 High vulns

• Adobe Flash CVSS 10.0

• Apache Struts CVSS 10.0

• CVE-2017-0143 (0144, 0145, 0146, 0148)

• CVSS 9.3

• 12-15 MAY 2017

• 230,000 computers

• 150 countries

17 of 19

Business – Growth thru Acquisition

• Acquired 9 companies 2011-2017

• 15 DEC 2005: $37.80 share price; ~$3.x B market cap

• 26 SEP 2017: $106.05 share price; $12.7 B market cap

• (1 SEP: $142.72; $17 B – today: $125.30; $15.2 B)

18 of 19

Threads to Pull (or Follow)

• Who’s to blame?

• Equifax

• Business growth

• Acquisitions

• C-level organization

• Human Resources

• Business processes

• Cyber team discipline

• Government organizations

• Government rules

• Apache Struts project

• Software supply chain

• Cybersecurity

• Vulnerability management

• Threat intelligence

• Tools

• Processes

• Crisis management

• Public relations

• Hacker Cooperation

• Law, Ethics, Philosophy

• Deterrents?

• Auto accidents

Questions / Comments ?